I do something similar, and rely on "known" ports. Rather than using the list of known ports as in /etc/services, it's more useful to construct our own list of known ports based on what is actually used on our network. We have an advantage though in that our network is very much a closed system and tightly controlled. Anything below 1025 uses the services file, but above that we carefully analyse the application.
While working in another organisation - a broadband ISP with a high volume of P2P file sharing - this kind of analysis was next to impossible. We still took a guess though; for example, with e-Donkey the ports on both ends of the connection are random. If we didn't know what the ports were, then we put them into the "other" bucket, and put in an explanation that this includes P2P traffic, etc.

I'm currently working through a similar issue with Outlook, which uses RPC and dynamic port allocations; however, in all situations the following statements are true:
1) One end of the connection is a mail server
2) Neither port is below 1025.

I'm not aware of any libraries that already do this for me, and would be surprised if there is one that is flexible enough for our needs.

Cheers,
Nathan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sebastian Krieger
Sent: Friday, 8 April 2005 8:27 AM
To: [EMAIL PROTECTED]
Subject: [Flow-tools] Convert into bidirectional flow data

Hi,

I'm using a few x86 boxes with fprobe and flow-tools installed to collect flows on our networks without exporting routers. In the last few months I have tried a lot of the well-known tools for different kinds of reporting (accounting, incident management, security issues, etc.) based on the logfiles produced by flow-tools.

When analysing raw flow data without any post-processing (e.g. after a flow-print -f 5) it is sometimes really hard to interpret "who" was responsible for a bidirectionally seen connection, or rather which was the source and which was the destination flow in the end. If you look at pcap data logged by tcpdump you should always be able to interpret the client and server role in a connection. If you have bidirectional logs for analysis it is much more easily human-readable. I already wrote some perl code for this conversion and tried lots of different ways to get correct bidir. data.
I tried this based on ports, protocol, timestamps and so on, but in the end I had to accept failure. For me the only way to get as much good data as possible is to do a probabilistic evaluation based on ports. For example, port 80 was used more often in the past than port 1234, so for this bidirectionally seen connection it is more probable that port 80 was the destination port. Based on this I currently do the determination of source and destination flow. For me this brings good results in approximately 90-95% of cases. But this is unclean and you should never forget the possible failures.

Does someone know a really good tool to do this kind of conversion? Is it really possible to determine source and destination flows based on netflow data? (I'm using netflow v5.)

Thanks for all info!

Sebastian

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
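The two heuristics discussed in this thread (Nathan's "services file below 1025, site rules above it, everything else into an 'other' bucket" and Sebastian's "the port seen more often in the data set is the service port") fit together into one pass over unidirectional records. The following is an added example, not code from flow-tools or from either poster: it pairs each record with its reversed 5-tuple, then orients the pair by (1) a single privileged port, (2) the Outlook/RPC site rule with a hypothetical list of mail-server addresses, (3) the port-frequency prior, and otherwise refuses to guess and files the pair under "other". The CSV layout, the 60-second pairing window and the subset of /etc/services are all assumptions made for this example; the sample records are constructed.

```python
"""Pair unidirectional NetFlow v5 records into bidirectional flows and guess
which end is the server. Added example, not flow-tools code or either poster's.
Records use a constructed CSV layout (not the flow-print -f 5 layout);
replace load_records() with your own parser."""
from collections import Counter, defaultdict, namedtuple

# Assumed subset of /etc/services: Nathan's "below 1025 uses the services file".
WELL_KNOWN = {22: "ssh", 25: "smtp", 53: "domain", 80: "http", 443: "https"}
PRIVILEGED_MAX = 1024
# Hypothetical site knowledge for Nathan's Outlook/RPC rule: mail server addresses.
MAIL_SERVERS = {"10.0.0.2"}

# Constructed sample: start,end,proto,saddr,sport,daddr,dport,pkts,octets
SAMPLE = """\
100,101,6,10.0.0.5,33412,192.0.2.10,80,6,900
100,101,6,192.0.2.10,80,10.0.0.5,33412,5,4200
110,120,6,10.0.0.7,4662,198.51.100.3,5433,40,30000
110,120,6,198.51.100.3,5433,10.0.0.7,4662,38,29000
130,131,6,10.0.0.9,49155,10.0.0.2,1100,12,2000
130,131,6,10.0.0.2,1100,10.0.0.9,49155,10,8000
140,141,6,10.0.0.5,40001,192.0.2.20,8080,5,600
140,141,6,192.0.2.20,8080,10.0.0.5,40001,4,3000
150,151,6,10.0.0.6,40002,192.0.2.20,8080,5,600
150,151,6,192.0.2.20,8080,10.0.0.6,40002,4,3000
160,160,17,10.0.0.5,50000,192.0.2.30,9999,1,100
"""

Flow = namedtuple("Flow", "start end proto saddr sport daddr dport pkts octets")


def load_records(text):
    """Parse the constructed CSV layout; everything but the addresses is an int."""
    flows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(",")
            flows.append(Flow(*[x if i in (3, 5) else int(x) for i, x in enumerate(f)]))
    return flows


def port_scores(flows):
    """Sebastian's prior: how often each port appeared on either end of any record."""
    scores = Counter()
    for f in flows:
        scores[f.sport] += 1
        scores[f.dport] += 1
    return scores


def pair_flows(flows, window=60):
    """Match each record with its reversed 5-tuple that started within `window`
    seconds (assumed tolerance); unmatched records come back as singles."""
    pending = defaultdict(list)
    pairs, singles = [], []
    for f in sorted(flows, key=lambda x: x.start):
        cands = pending.get((f.proto, f.daddr, f.dport, f.saddr, f.sport), [])
        match = next((g for g in cands if abs(g.start - f.start) <= window), None)
        if match is None:
            pending[(f.proto, f.saddr, f.sport, f.daddr, f.dport)].append(f)
        else:
            cands.remove(match)
            pairs.append((match, f))
    for rest in pending.values():
        singles.extend(rest)
    return pairs, singles


def server_end(f, scores):
    """Pick the server endpoint of a paired flow; None means the "other" bucket."""
    ends = [(f.saddr, f.sport), (f.daddr, f.dport)]
    priv = [e for e in ends if e[1] <= PRIVILEGED_MAX]
    if len(priv) == 1:  # 1. exactly one privileged port: the services file decides
        return priv[0], WELL_KNOWN.get(priv[0][1], "privileged")
    mail = [e for e in ends if e[0] in MAIL_SERVERS]
    if not priv and len(mail) == 1:  # 2. Outlook/RPC: both high, one end a mail server
        return mail[0], "mail-rpc"
    s0, s1 = scores[ends[0][1]], scores[ends[1][1]]
    if s0 != s1:  # 3. the port seen more often across the data set is the service
        return (ends[0] if s0 > s1 else ends[1]), "port-frequency"
    return None, "other"  # random/random (P2P, unknown RPC): refuse to guess


def classify(flows, window=60):
    """One oriented bidirectional record per pair, plus the unpaired singles."""
    scores = port_scores(flows)
    pairs, singles = pair_flows(flows, window)
    out = []
    for a, b in pairs:
        server, bucket = server_end(a, scores)
        client = None if server is None else (
            (a.daddr, a.dport) if server == (a.saddr, a.sport) else (a.saddr, a.sport))
        out.append({"client": client, "server": server, "bucket": bucket,
                    "pkts": a.pkts + b.pkts, "octets": a.octets + b.octets})
    return out, singles


if __name__ == "__main__":
    for rec in classify(load_records(SAMPLE))[0]:
        print(rec)
```

The "bucket" field records which rule decided the orientation, so the 5-10% of cases Sebastian mentions can be reviewed separately instead of silently trusted; pairs that reach step 3 with equal counts stay in "other" rather than being assigned by a coin flip. NetFlow v5 records carry only the cumulative OR of TCP flags for the whole flow, so the SYN direction cannot be recovered from them, which is why ports are the only signal used here.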
